(1) No certification authority, whether licensed or not, may conduct its business in a manner that creates an unreasonable risk of loss to subscribers of the certification authority, to persons relying on certificates issued by the certification authority, or to a repository.

(2) The secretary may publish brief statements advising subscribers, persons relying on digital signatures, or other repositories about activities of a certification authority, whether licensed or not, that create a risk prohibited by subsection (1) of this section. The certification authority named in a statement as creating or causing such a risk may protest the publication of the statement by filing a written defense of ten thousand bytes or less. Upon receipt of such a protest, the secretary must publish the protest along with the secretary's statement, and must promptly give the protesting certification authority notice and an opportunity to be heard. Following the hearing, the secretary must rescind the advisory statement if its publication was unwarranted under this section, cancel it if its publication is no longer warranted, continue or amend it if it remains warranted, or take further legal action to eliminate or reduce a risk prohibited by subsection (1) of this section. The secretary must publish its decision in the repository it provides.

(3) In the manner provided by the administrative procedure act, chapter 34.05 RCW, the secretary may issue orders and obtain injunctions or other civil relief to prevent or restrain a certification authority from violating this section, regardless of whether the certification authority is licensed. This section does not create a right of action in a person other than the secretary.